Craft made a point:
On the server you can set the X-Frame-Options header, which tells the web browser how to treat the page when it is framed. It is possible to set this header to DENY, which blocks all loading of the page via frames. By setting it to SAMEORIGIN you can relax the restriction and only allow framing by pages on the same domain.
On the Apache webserver this directive is set like so (on Debian/Ubuntu servers this is /etc/apache2/apache2.conf):
Code:
Header always append X-Frame-Options SAMEORIGIN
Alternatively if you are using nginx then you can implement it in the following way:
Code:
add_header X-Frame-Options SAMEORIGIN;
Unfortunately this header is only supported on more recent browsers.
Now for legacy browsers you will need to drop back to using JavaScript framebusting code. It goes without saying, however, that this can be circumvented by a potential attacker through techniques such as double framing and exploiting cross-site scripting filters in some browsers.
Code:
if(top != self) { top.location = self.location; }
The latest recommendation from The Open Web Application Security Project (OWASP) is to include the following code in the <head> section of your web page:
Code:
<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
if (self === top) {
var antiClickjack = document.getElementById("antiClickjack");
antiClickjack.parentNode.removeChild(antiClickjack);
} else {
top.location = self.location;
}
</script>
This works by disabling the whole page using the CSS style at the beginning and then, later on in the JavaScript, checking to see that the page is not framed. It then removes the style from the page's HTML, thereby revealing the content. If it is framed then it sets itself as the parent page.
This should work...
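As an added example (not code from the post above or from OWASP), here is a small audit routine that grades a response's framing protection from its raw header pairs; the header names, the verdict labels and the sample header sets are all constructed for the example.

```python
# Added example (not from the original post): audit a response's framing
# protection from its raw (name, value) header pairs, so duplicates from a
# stacked "Header append" or "add_header" directive stay visible.
def _parse_xfo(values):
    """Split comma-joined X-Frame-Options values, upper-case and dedupe them."""
    tokens = []
    for v in values:
        for tok in v.split(","):
            tok = tok.strip().upper()
            if tok and tok not in tokens:
                tokens.append(tok)
    return tokens

def check_frame_protection(headers):
    """Return (verdict, findings); verdict is protected, weak or unprotected."""
    findings = []
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    frame_ancestors = any("frame-ancestors" in v.lower() for v in csp)
    xfo = _parse_xfo([v for n, v in headers if n.lower() == "x-frame-options"])
    if frame_ancestors:
        # Modern browsers honour CSP frame-ancestors over X-Frame-Options.
        findings.append("CSP frame-ancestors present")
    if not xfo:
        if frame_ancestors:
            return "protected", findings
        findings.append("no X-Frame-Options: legacy browsers get no protection")
        return "unprotected", findings
    if len(xfo) > 1:
        # e.g. SAMEORIGIN from apache2.conf plus DENY from a vhost, both appended
        findings.append(f"conflicting X-Frame-Options values {xfo}; send exactly one")
        return "weak", findings
    value = xfo[0]
    if value in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options {value} set")
        return "protected", findings
    if value.startswith("ALLOW-FROM"):
        findings.append("ALLOW-FROM is obsolete; use CSP frame-ancestors instead")
        return "weak", findings
    findings.append(f"unrecognised value {value!r}; browsers ignore it")
    return "unprotected", findings

# Constructed sample header sets (not real captures).
SAMPLES = {
    "nginx_ok":      [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "double_append": [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
    "typo":          [("X-Frame-Options", "SAME-ORIGIN")],
    "csp_only":      [("Content-Security-Policy", "frame-ancestors 'self'")],
}
```

Feed it the header list from a real response (for example `resp.raw.headers.items()` from an HTTP client) to spot the typo and double-append cases that a quick curl glance tends to miss.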
Still shit falls down quick, do as Barry said; Enough of this shit
Quote:
Complain to the registry to yank his ticket.